PCI – Don’t end up on the front page

Target announced today that hackers breached up to 40 million payment cards from its in-store point of sale (POS) systems, clouding the weekend before Christmas for a lot of people.  This unfortunate event should serve as a reminder of the criticality of customer data to all businesses that handle any type of debit or credit card data.  Regardless of your size or level of interaction with debit and credit cards, you are expected to comply with the Payment Card Industry Data Security Standard (PCI DSS).  At its core, the PCI DSS provides a framework for developing a security process applicable to payment card data.  This includes prevention, detection, and appropriate reaction to security incidents.  A breach resulting in non-compliance can result in negative brand awareness (as Target can attest to), revocation of accepting credit card for payments, and significant fines (>$100,000) levied by your financial institution or credit card processors.

The PCI DSS is segmented into 12 high level requirements:

PCI DSS High Level Overview

Build and Maintain a Secure Network and Systems 1.  Install and maintain a firewall configuration to protect cardholder data
2.  Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data 3.  Protect stored cardholder data
4.  Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program 5.  Protect all systems against malware and regularly update anti-virus software or programs
6.  Develop and maintain secure systems and applications
Implement Strong Access Control Measures 7.  Restrict access to cardholder data by business need to know
8.  Identify and authenticate access to system components
9.  Restrict physical access to cardholder data
Regularly Monitor and Test Networks 10.  Track and monitor all access to network resources and cardholder data
11.  Regularly test security systems and processes
Maintain an Information Security Policy 12.  Maintain a policy that addresses information security for all personnel

 

The 12 high level requirements are broken down into over 220 individual requirements that must be met for PCI compliance, based on a company’s level payment card information access.  The full list can be found here:     https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

There is also specific in-depth guidance related to wireless networking, virtualization, cloud computing, tokenization, and mobile application development that should be followed.  These requirements can be found on the PCI SSC web site (https://www.pcisecuritystandards.org)

What clients should do:

  • Identify each system (e.g. server, firewall, router, switch) that processes, transmits, or stores payment card information
  • Document the flow of payment card data through each system
  • Determine which PCI Self Assessment Questionnaire (PCI SAQ) is applicable: https://www.pcisecuritystandards.org/documents/pci_dss_SAQ_Instr_Guide_v2.1.pdf
  • Remediate components based on the appropriate PCI SAQ
  • Consider hiring a PCI Qualified Security Assessor (PCI QSA) to determine compliance status

Although there are stringent requirements for PCI compliance, the work done up front can help ensure you don’t end up as front page news.

**Disclaimer – PCI Compliance is a complicated regulation with many nuances that are not covered here.  This is intended to provide a high level overview of PCI DSS and not a comprehensive guide to adherence.  West Monroe Partners can provide more in depth security assessment services that encompass PCI considerations

Your email address will not be published. Required fields are marked *

Phone: 312-602-4000
Email: marketing@westmonroepartners.com
222 W. Adams
Chicago, IL 60606
Show Buttons
Share On Facebook
Share On Twitter
Share on LinkedIn
Hide Buttons